ABSTRACT


The S-Boxes used in the AES algorithm are generated by field extensions of the Galois field over two elements, called GF(2). Therefore, understanding the field extensions provides a method of analysis, potentially efficient implementation, and efficient attacks. Different polynomials can be used to generate the fields, and we explore the set of polynomials x^2 + x + a^i over GF(2^n) where a is a primitive element of GF(2^n).

The results of this work are the first steps towards a full understanding of the field that AES computation occurs in, GF(2^8). The charts created with the data we gathered detail which power of the current primitive root is equal to previous primitive roots for fields up through GF(2^16) created by polynomials of the form x^2 + x + a^i for a primitive element a. Currently, a C++ program will also provide all the primitive polynomials of the form x^2 + x + a^i for a primitive element a over the fields through GF(2 ). This work also led to a deeper understanding of certain elements of a field and their equivalent shift register state. In addition, given an irreducible polynomial f(x) = x^2 + x + a^i over GF(2^n), the period (and therefore the primitivity) can be determined by a new theorem without running the shift register generated by f(x).
I. INTRODUCTION


The S-Boxes used in the AES algorithm are generated by field extensions of the Galois field over two elements, called GF(2). Therefore, understanding the field extensions provides a method of analysis, potentially efficient implementation, and efficient attacks. Different polynomials can be used to generate the fields: the AES implementation uses one set, Canright [1] uses another, Conway [2] uses another way, and we explore the set of polynomials x^2 + x + a^i over GF(2^n) where a is a primitive element of GF(2^n). In particular, we look at the structure of the constant coefficients of the polynomials.

A primitive element of a Galois field is an element whose powers are all different. Since the number of these distinct powers is one less than the number of elements of the field, these powers actually exhaust all of the nonzero elements of the field. By definition of a field extension, the field that is being extended is a subfield of the larger field. So, elements that are in the subfield are also in the extension field. For example, for a primitive element m of the extension field and for each nonzero element s in the subfield, there exists a power e of m so that s = m^e.

Suppose x^2 + x + a^i is a polynomial over the field GF(2^n) with a being a primitive element of GF(2^n). Using an algorithm different from the typical algorithm for building fields with Galois shift registers, we are able to show whether or not the polynomial is irreducible (i.e., cannot be factored) over that field. With a new theorem, we are able to determine whether or not the polynomial is primitive when it is also irreducible. In addition, we use the alternate algorithm to discover information about the primitive roots from previous fields in the hopes that this will further our understanding of the fields built by these particular polynomials.
II. BACKGROUND


In order to understand the algorithms and methods presented in this paper, we need to review some mathematical concepts as well as other topics including linear shift registers.

A. FIELD THEORY REVIEW 

We need to first review some definitions and results from abstract algebra. These results can be found in any standard algebra text such as Dummit and Foote's Abstract Algebra [3] or Gallian's Contemporary Abstract Algebra [4].

1. Groups

A group G is a set of elements with a binary operation defined on those elements that has the following properties:

1. The binary operation is closed over the group, meaning that the binary operation performed on any two elements of the group will result in another element of the group.

2. The binary operation is associative.

3. There exists an identity element for the operation.

4. Each element of the group has an inverse for the operation.

An example of a group where the binary operation is addition modulo n is the set of integers 0, 1, 2, ..., n−1, denoted Z_n. In this group, 0 is the identity, and n−k is the inverse of k.

2. Rings and Ideals 

A ring R is a set with 2 binary operations + and ×, called addition and multiplication, such that the following properties hold:

1. (R, +) is a commutative group. 

2. Multiplication is associative. 

3. The distributive laws hold in R: for all a, b, c in R: 

(a + b)xc = (axc) + (bxc) and ax (b + c) = (axb) + (axc). 

A subring S of a ring R is a subset of R that is also a ring with the operations of R. A subring A of a ring R is an ideal of R if for all r in R and for all a in A, ra and ar are in A. In other words, A absorbs the elements from R. A ring R is a commutative ring with unity if multiplication is commutative and there exists a multiplicative identity in R. Suppose R is a commutative ring with unity. Let a be an element in R. Then the set (a) = {ra | r ∈ R} is an ideal of R called a principal ideal.

Let R be a ring and let A be a subring of R. If R is a commutative ring, then R[x] = {a_n x^n + ... + a_1 x + a_0 | a_i ∈ R} is the ring of polynomials over R.

Theorem 1: If A is an ideal, then we may form the factor ring R/A = {r + A | r ∈ R}. In this case, the set of cosets {r + A | r ∈ R} is a ring under the operations:

1. (s + A) + (t + A) = (s + t) + A and

2. (s + A)(t + A) = (st) + A for s and t in R.

For example, let ℝ[x] be the ring of polynomials whose coefficients are real numbers. Let (x^2 + 1) be the principal ideal generated by x^2 + 1. So, (x^2 + 1) = {f(x)(x^2 + 1) | f(x) ∈ ℝ[x]}. Then, the factor ring ℝ[x]/(x^2 + 1) = {g(x) + (x^2 + 1) | g(x) ∈ ℝ[x]}. Now, since g(x) is in ℝ[x], g(x) may be written as g(x) = q(x)(x^2 + 1) + r(x) where the degree of r(x) is less than the degree of x^2 + 1 by the division algorithm. So, r(x) = ax + b for some a and b in the real numbers. Therefore,

$$\begin{aligned}
\mathbb{R}[x]/(x^2+1) &= \{\, g(x) + (x^2+1) \mid g(x) \in \mathbb{R}[x] \,\} \\
&= \{\, q(x)(x^2+1) + r(x) + (x^2+1) \,\} \\
&= \{\, r(x) + (x^2+1) \mid r(x) \in \mathbb{R}[x] \,\} \quad \text{because the ideal } (x^2+1) \text{ absorbs the term } q(x)(x^2+1) \\
&= \{\, ax + b + (x^2+1) \mid a, b \in \mathbb{R} \,\} \quad \text{by definition of } r(x).
\end{aligned}$$

The notation can be simplified by denoting a coset ax + b + (x^2 + 1) by its coset representative ax + b.

An ideal A of a ring R is a proper ideal of R if A is a proper subset of R. A proper ideal A of R is a maximal ideal of R if, whenever B is an ideal of R and A ⊆ B ⊆ R, then B = A or B = R.



3. Fields 

A field F is a set of elements with two binary operations + and ·, usually called addition and multiplication, defined on it that has specific properties:

1. (F, +) is a commutative group with identity 0.

2. (F − {0}, ·) is a commutative group with identity 1.

3. The distributive law holds for all a, b, c in F:

a·(b + c) = (a·b) + (a·c).

Familiar fields include the rational numbers, the real numbers, and the complex 
numbers. However, we are interested in fields with only a finite number of elements, 
referred to as finite fields. 

An example of a finite field with 2 elements is the set {0, 1}. Addition and multiplication in this field are defined as follows:

0 + 0 = 0    0 * 0 = 0
0 + 1 = 1    0 * 1 = 0
1 + 0 = 1    1 * 0 = 0
1 + 1 = 0    1 * 1 = 1

Table 1. Multiplication and Addition Rules in the Field {0, 1}


For this field, (logical) XOR is the addition operation and (logical) AND is the 
multiplication operation. 

Theorem 2: Finite fields have only a prime or prime power number of elements. 

The fields with a prime number of elements are represented by the integers mod p, for any prime p. Addition and multiplication are done modulo p. A finite field that has p^n elements for a prime p and any positive integer n is called a Galois field, denoted GF(p^n).
In a field, the group of nonzero elements is cyclic, meaning that there is at least one element whose powers exhaust all of the nonzero elements of the field. The order of an element a of a group is the smallest positive integer n such that a^n = 1.

Theorem 3: The order of an element in a group also divides the number of elements in the group.

Theorem 4: Let R be a commutative ring with unity and let A be an ideal of R. Then R/A is a field if and only if A is a maximal ideal.

4. Constructing a Field of p^n Elements

A polynomial over a particular field F is a polynomial a_n x^n + a_(n−1) x^(n−1) + ... + a_1 x + a_0 such that each coefficient a_i is an element of the field F. A polynomial f(x) over a field F is irreducible if f(x) cannot be factored as a product of two polynomials, both defined over F and both of degree lower than f(x). Otherwise, f(x) is reducible.

Theorem 5: Let F be a field and let p(x) be in F[x]. Then (p(x)) is a maximal ideal in F[x] if and only if p(x) is irreducible over F.

Theorem 6: If p(x) is an irreducible polynomial, then F[x]/(p(x)) is a field.

In other words, to create a field that has a prime power p^m of elements, we need an irreducible polynomial f(x) of degree m over the prime field GF(p).

For example, consider Z_2 = {0, 1} and the polynomial f(x) = x^3 + x + 1. If f(x) were reducible, it would have at least one factor of degree one. This would imply that f(x) would have a root in Z_2. But f(0) = f(1) = 1 implies that there are no roots of f(x) in Z_2. So, f(x) is irreducible. Therefore, Z_2[x]/(f(x)) is a field. And

Z_2[x]/(x^3 + x + 1) = {ax^2 + bx + c + (x^3 + x + 1) | a, b, c ∈ Z_2}

is a field of 2^3 = 8 elements. If we designate a coset by its coset representative, then the elements of the field are {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}.
5. Different Representations of Elements of a Field

There are actually several different ways to represent the elements of a finite field. Above is an example of creating a field from the factor ring F[x]/(p(x)) where F is a field and p(x) is an irreducible polynomial. If the degree of p(x) is m and F has p^n elements, then the field F[x]/(p(x)) is called a degree m extension field of F. The elements of the larger field can be expressed as m-tuples chosen from the field F.

Theorem 7: Let F[x]/(p(x)) be an extension field such that F is a field and p(x) is a degree m irreducible polynomial. Then the elements of the extension field are isomorphic to the polynomials of degree less than m over F.

Theorem 8: If F is a field and p(x) is an irreducible polynomial over F, then there exists a field K containing an isomorphic copy of F in which p(x) has a root.

In other words, there exists an extension field K of F in which p(x) has a root.

The order of a polynomial f(x) is the smallest integer n such that f(x) divides x^n − 1. A primitive polynomial is an irreducible polynomial f(x) of degree m over GF(p) such that the smallest n for which f(x) divides x^n − 1 is n = p^m − 1. For example, consider f(x) = x^2 + x + 1 over GF(2). Note that f(0) = 1 and f(1) = 1. So, there are no roots of f(x) in GF(2). Therefore, f(x) is irreducible over GF(2). Note also that addition and subtraction are the same over GF(2). Then,

$$\frac{x + 1}{x^2 + x + 1} = 0 + \frac{x + 1}{x^2 + x + 1}$$

$$\frac{x^2 + 1}{x^2 + x + 1} = 1 + \frac{x}{x^2 + x + 1}$$

$$\frac{x^3 + 1}{x^2 + x + 1} = x + 1$$

So, the smallest integer n such that x^2 + x + 1 divides x^n + 1 is 3. Therefore, the order of f(x) is 3 = 2^2 − 1 and it is primitive.
When creating the field GF(p^m) from GF(p) and an irreducible polynomial f(x) of degree m that is not primitive, multiplication is as follows:

a(x)·b(x) = c(x) (modulo p, modulo f(x))

where we reduce the product both modulo p and modulo the irreducible polynomial f(x).

However, multiplication can be accomplished much more easily if the irreducible polynomial f(x) is also primitive.

Theorem 9: If the polynomial f(x) is primitive, then a root a of the polynomial f(x) is also primitive, meaning that the powers of a exhaust the nonzero elements of the field.

Theorem 10: There is always a primitive element of the field with which we can perform multiplication in this convenient way.

For example, let f(x) = x^4 + x + 1 be a polynomial over GF(2). Note that f(0) = f(1) = 1. So, f(x) has no roots in GF(2) and therefore does not contain a degree 1 polynomial as a factor. However, it could still factor into two degree 2 polynomials. The only degree 2 polynomial that f(x) could factor into that does not itself factor into two degree 1 polynomials is x^2 + x + 1. But when f(x) is divided by this polynomial, a remainder of 1 results. So, f(x) does not factor into two degree 2 polynomials, and is therefore irreducible. Suppose that a is a root of f(x). Then, we can represent GF(2^4) as a set of polynomials in a of degree less than 4. However, if we find a primitive element in GF(2^4), we can also represent the nonzero elements of the field as powers of that primitive element. In this case, a happens to be primitive, and we can create a table that will simplify both addition and multiplication operations in the field.

We verify that the order of a is 2^4 − 1 = 15, and that a is primitive. Using a^4 = a + 1,

$$\begin{aligned}
a^{15} &= (a \cdot a^4)^3 = (a(a + 1))^3 = (a^2 + a)^3 \\
&= ((a^2 + a)(a^2 + a))(a^2 + a) = (a^4 + a^2)(a^2 + a) \\
&= a^6 + a^5 + a^4 + a^3 = a^2 \cdot a^4 + a \cdot a^4 + (a + 1) + a^3 \\
&= (a + 1)a^2 + (a + 1)a + (a + 1) + a^3 \\
&= a^3 + a^2 + a^2 + a + a + 1 + a^3 = 1.
\end{aligned}$$
So, the order of a divides 15 and could be either 3, 5, or 15. However, a^3 ≠ 1 and a^5 = a^4·a = (a + 1)a = a^2 + a ≠ 1. Therefore, the order of a is 15 and it is primitive. Now we can create a table of the two different representations of each element of the field: one representation as a polynomial in a of degree less than 4 and the other as a power of a. In this case, multiplication can now be defined by a^i · a^j = a^((i + j) mod (2^4 − 1)).

Element as a power of a    Element as a polynomial in a
a^0                        1
a^1                        a
a^2                        a^2
a^3                        a^3
a^4                        a + 1
a^5                        a^2 + a
a^6                        a^3 + a^2
a^7                        a^3 + a + 1
a^8                        a^2 + 1
a^9                        a^3 + a
a^10                       a^2 + a + 1
a^11                       a^3 + a^2 + a
a^12                       a^3 + a^2 + a + 1
a^13                       a^3 + a^2 + 1
a^14                       a^3 + 1

Table 2. Table of the Two Representations of the Elements of the Field GF(2^4)
6. Building Fields with Different Extensions

One can build fields with different irreducible polynomials as well as different 
degree extensions. 

Theorem 11: Fields of order p^n are all isomorphic to GF(p^n).

For example, the field GF(2^8) can be built with three degree 2 extensions, one degree 4 extension followed by a degree 2 extension, or one degree 8 extension.

Figure 1. Different Extensions from GF(2) to GF(2^8)

First, we show the field GF(2^8) being built with three degree 2 extensions. Consider the polynomial f(x) = x^2 + x + 1 over GF(2). As we saw above, f(x) is irreducible and primitive. Therefore, GF(2)[x]/(x^2 + x + 1) is a field of 4 elements and isomorphic to GF(2^2). Suppose a is a root of f(x). The order of a is 3, and a is primitive. All of the nonzero elements of GF(2^2) can be expressed as powers of a as we showed earlier. Now consider the field GF(2^2) and the polynomial g(x) = x^2 + x + a. Since g(0) = g(1) = a and g(a) = g(a^2) = a^2, g(x) has no roots in GF(2^2) and is irreducible. Therefore, GF(2^2)[x]/(x^2 + x + a) is isomorphic to GF(2^4). Let b be a root of g(x). Since b is a root of g(x),
g(b) = b^2 + b + a = 0, which implies b^2 = b + a. In Table 3, we show that the order of b is 15. So, b is primitive and each nonzero element of GF(2^4) can be written as a power of b. The table of the powers of b is below.

Element as a power of b    Element as a polynomial in b over GF(2^2)
b^0                        1
b^1                        b
b^2                        b + a
b^3                        a^2 b + a
b^4                        b + 1
b^5                        a
b^6                        ab
b^7                        ab + a^2
b^8                        b + a^2
b^9                        ab + a
b^10                       a^2
b^11                       a^2 b
b^12                       a^2 b + 1
b^13                       ab + 1
b^14                       a^2 b + a^2

Table 3. Table of the Two Representations of the Elements of the Field GF(2^4)

Note that b^5 = a. So even though a is an element of the smaller field GF(2^2), there is a copy of it (as well as a^2 and a^3 = 1) in the bigger field GF(2^4).

Consider the polynomial h(x) = x^2 + x + b^i over GF(2^4). It can be shown that no elements of GF(2^4) are roots of h(x), similar to the way that we showed that f(x) has no roots in GF(2). So, h(x) cannot be factored and is irreducible. Therefore, GF(2^4)[x]/(h(x)) is isomorphic to the field GF(2^8). Note that for this paper, we are mainly interested in degree 2 extensions of the form x^2 + x + a^i for some primitive element a. In this case, we use a to denote a primitive element in GF(2^2), b to denote a primitive element in GF(2^4), c to denote a primitive element in GF(2^8), d to denote a primitive element in GF(2^16) and so on.

Now, we can also build GF(2^8) from GF(2) using a degree 4 extension followed by a degree 2 extension. For example, take GF(2) and the polynomial s(x) = x^4 + x + 1. We have already shown that s(x) is irreducible and that the root a of s(x) is primitive. So, the field GF(2)[x]/(s(x)) is isomorphic to GF(2^4). Consider the polynomial t(x) = x^2 + x + a^i over GF(2^4). Again, it can be shown that t(x) is irreducible over GF(2^4) by showing that there are no roots of t(x) in GF(2^4) and that therefore, the polynomial cannot be factored. So, GF(2^4)[x]/(t(x)) is a field of 2^8 elements and is isomorphic to GF(2^8).

Since 2^8 is a power of a prime, we can also build GF(2^8) directly from GF(2) with just one extension of degree 8. Consider the polynomial v(x) = x^8 + x^4 + x^3 + x + 1 over GF(2). Now v(0) = v(1) = 1, so there are no roots of v(x) in GF(2). Therefore, v(x) cannot be factored into any degree 1 polynomials. The only irreducible degree 2 polynomial over GF(2) is x^2 + x + 1, and the remainder when v(x) is divided by it is x + 1. So, v(x) is not divisible by any degree 2 polynomials that do not themselves factor. There are two degree 3 irreducible polynomials over GF(2), x^3 + x + 1 and x^3 + x^2 + 1. However, when v(x) is divided by each of them, the remainders are x + 1 and x^2, respectively. Thus, v(x) is not divisible by any degree 3 irreducible polynomials over GF(2). Now, x^4 + x^3 + x^2 + x + 1, x^4 + x^3 + 1, and x^4 + x + 1 are the only degree 4 irreducible polynomials over GF(2), and the remainders are x^3 + x^2, x^3 + x^2, and x^3 + x^2 + 1, respectively, when v(x) is divided by each of the polynomials. There is no need to check any other degrees. For example, if v(x) were divisible by a degree 5 polynomial, then it would also be divisible by a degree 3 polynomial. Therefore, v(x) cannot be factored and is irreducible. So, GF(2)[x]/(v(x)) is a field of order 2^8 and is isomorphic to GF(2^8).
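The trial-division and order arguments of this section, as an added example that is not code from the thesis: polynomials over GF(2) are stored as Python ints (bit i is the coefficient of x^i), `is_irreducible` repeats the remainder checks made for v(x), `poly_order` finds the smallest n with f(x) | x^n + 1, and `power_table` is the shift-and-reduce loop that produces Table 2. It also shows that v(x), the polynomial the AES specification uses for GF(2^8), is irreducible but has order 51, so x is not a primitive element there. Function names are mine.

```python
# Added example, not code from the thesis: arithmetic in GF(2)[x] with a
# polynomial stored as a Python int (bit i = coefficient of x^i), so that the
# divisibility and order arguments above can be checked mechanically.

def degree(p):
    """Degree of a nonzero polynomial; degree(0) is -1 by this convention."""
    return p.bit_length() - 1

def poly_mod(p, m):
    """Remainder of p divided by m in GF(2)[x]; subtraction is XOR."""
    dm = degree(m)
    while p and degree(p) >= dm:
        p ^= m << (degree(p) - dm)
    return p

def poly_mulmod(p, q, m):
    """p * q reduced modulo m in GF(2)[x] (shift-and-add with reduction)."""
    r = 0
    while q:
        if q & 1:
            r ^= p
        q >>= 1
        p = poly_mod(p << 1, m)
    return r

def is_irreducible(f):
    """Trial division as in the argument for v(x): f of degree d is reducible
    iff some polynomial of degree 1 .. d//2 divides it (trying the reducible
    divisors too is harmless, it only repeats checks)."""
    d = degree(f)
    if d < 1:
        return False
    for g in range(2, 1 << (d // 2 + 1)):
        if poly_mod(f, g) == 0:
            return False
    return True

def poly_order(f):
    """Order of f: the smallest n >= 1 with f | x^n + 1, found by stepping
    x^n modulo f until it returns to 1 (needs deg f >= 1 and f(0) != 0)."""
    if degree(f) < 1 or f & 1 == 0:
        raise ValueError("order is defined only for deg f >= 1 with f(0) != 0")
    n, xn = 1, poly_mod(0b10, f)          # x^1 mod f
    while xn != 1:
        xn = poly_mulmod(xn, 0b10, f)     # multiply by x, reduce
        n += 1
    return n

def is_primitive(f):
    """Primitive = irreducible with order 2^deg(f) - 1."""
    return is_irreducible(f) and poly_order(f) == (1 << degree(f)) - 1

def power_table(f):
    """Powers a^0 .. a^(2^d - 2) of a root a of f, each as a polynomial in a of
    degree < d (Table 2 for f = x^4 + x + 1).  Each step is one tick of the
    Galois shift register: shift (multiply by a) and reduce (XOR in f)."""
    d = degree(f)
    table, v = [], 1
    for _ in range((1 << d) - 1):
        table.append(v)
        v = poly_mod(v << 1, f)
    return table

def show(p):
    """Render an int polynomial as text, e.g. 0b1011 -> 'x^3 + x + 1'."""
    if p == 0:
        return "0"
    terms = []
    for i in range(degree(p), -1, -1):
        if p >> i & 1:
            terms.append({0: "1", 1: "x"}.get(i, "x^%d" % i))
    return " + ".join(terms)

if __name__ == "__main__":
    for name, f in [("x^2 + x + 1", 0b111), ("x^4 + x + 1", 0b10011),
                    ("x^4 + x^3 + x^2 + x + 1", 0b11111),
                    ("v(x) = x^8 + x^4 + x^3 + x + 1", 0b100011011)]:
        print(name, "irreducible:", is_irreducible(f),
              "order:", poly_order(f), "primitive:", is_primitive(f))
    for i, p in enumerate(power_table(0b10011)):
        print("a^%-2d = %s" % (i, show(p).replace("x", "a")))
```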

7. Conjugates

Let β be an element of GF(p^n). The conjugates of β with respect to GF(p) are β, β^p, β^(p^2), β^(p^3), ... The set of conjugates of β form the conjugacy class of β.

Theorem 12: The conjugacy class of β in GF(p^n) contains d elements, where d is the smallest integer such that β^(p^d) = β.

For example, consider GF(2^3) and let a ≠ 1 be a nonzero element in GF(2^3). The conjugacy class of a is {a, (a)^2 = a^2, (a^2)^2 = a^4, (a^4)^2 = a^8 = a} = {a, a^2, a^4}. The conjugacy class of 0 is {0} and the conjugacy class of 1 is {1}.

Theorem 13: Let f(x) be a primitive polynomial over a field, and let a be a root of f(x). Then, the roots of f(x) are exactly the conjugates of a.

Theorem 14: If elements are in the same conjugacy class, then they have the same order.

B. LINEAR FEEDBACK SHIFT REGISTERS (LFSR)

Linear feedback shift registers are an important tool that can be used to build the fields GF(2^n). Golomb's Shift Register Sequences [5] is a good reference for linear feedback shift registers. Fellin's Primitive Shift Registers [6] is also a good quick introduction.

1. An Overview of LFSR’s 

A binary shift register of span n is a set of n storage elements, each holding either a 0 or a 1. The content of the n storage elements is the state of the register at a particular time. A feedback function is also associated with the shift register. When a new bit is needed, each bit in the register at a particular time is shifted in the direction of the increasing index at the next time until the feedback function determines the bit in the lowest-order element. Let s_i be the contents of the ith storage element at a particular time for a shift register with n storage elements. In general, if the feedback function at time t is

$$f(s_0, \ldots, s_{n-1}) = c_0 s_0 + \cdots + c_{n-2} s_{n-2} + c_{n-1} s_{n-1} = s_0 \text{ at time } t + 1, \quad c_i \in \{0, 1\},$$

where addition is performed modulo 2, then the shift register is a linear feedback shift register (because s_0 is a linear function of the other s_i's). The output tap is s_(n−1). The shift register is completely dependent on its previous state and the feedback function. So, once the state returns to its initial state, we know exactly what the sequence of next states of the register will be. The period of a shift register is the length of the output sequence before the sequence starts to repeat.

Theorem 15: The period is at most 2^n − 1 where n is the number of registers in the LFSR, since the all-0 state cannot appear on a cycle which includes 1s.

Note that if the register is initialized with s_i = 0 for all i, the output sequence would be 00000... .

2. Galois Shift Register

An example of a LFSR is the Galois shift register. Instead of the general feedback function described above, the contents of the storage elements are XOR'ed together based on the design of the particular Galois shift register [7]. This design is explained in the section below.

If we initialize the contents of the storage elements with 0 1, the states of the Galois shift register are:

          s_1   s_0
time 0     0     1
time 1     1     0
time 2     1     1
time 3     0     1

Table 4. States of the Galois Shift Register

and are calculated by the following rules:

new s_0 = 1 · old s_1

new s_1 = old s_1 + old s_0 (modulo 2)

The output sequence of this shift register is 011011011... . Galois shift registers are very useful for creating fields since there exists a mapping of a state to the nonzero elements of a field.

3. Polynomial Associated with LFSR

By definition, the characteristic polynomial of the sequence of bits that make up the contents of the n registers at time t and of the shift register itself is

$$f(x) = x^n + \sum_{i=0}^{n-1} c_i x^i,$$

where the c_i's are the feedback function coefficients. This polynomial generates the LFSR. Consider the polynomial g(x) = x^n + v_(n−1) x^(n−1) + ... + v_1 x + v_0. Then, the Galois shift register it generates is below.

Figure 3. Generic Galois Shift Register
4. How Galois LFSRs Can be Used to Build Fields

We can build all of the nonzero elements of a field with Galois shift registers. For example, recall the primitive polynomial f(x) = x^2 + x + 1 over GF(2). Let a be one root of f(x) in the field GF(2^2) = GF(2)[x]/(f(x)). Each element of GF(2^2) can be written as s·a^1 + t·a^0 for s and t in GF(2). So there will be 2 storage elements in the shift register. One storage element holds the coefficient of a and the other holds the coefficient of a^0. Next, we determine how f(x) affects the feedback, which is the coefficient of a^2. But a^2 = a + 1 in this field. So, the feedback goes to the registers that hold the coefficients of the a^1 and a^0 terms, i.e., s_1 and s_0, respectively.

Figure 4. Galois Shift Register Generated by f(x) = x^2 + x + 1

Each subsequent step of the shift register is equivalent to multiplying the element of the field (which is equivalent to the current state of the shift register) by a and then reducing that result modulo f(x). This occurs because shifting the contents of the registers is equivalent to multiplication by a and XOR'ing the coefficients is equivalent to reducing modulo 2.

To see this, look at the table of states for the shift register generated by f(x) below.

          power of a   contents of registers (s_1 s_0)   equivalent polynomial in a
time 0    a^0          0 1                               0·a + 1·1 = 1
time 1    a^1          1 0                               1·a + 0·1 = a
time 2    a^2          1 1                               1·a + 1·1 = a + 1

Table 5. Contents of Galois Shift Register and Equivalent Field Elements

Note that the state of the register at time 2 verifies the relationship a^2 = a + 1, which is equivalent to the fact that a is a root of the polynomial f(x).

Now, we used a primitive polynomial to build the shift register, but we could have just as easily used an irreducible polynomial that was not primitive to build the shift register. However, a root of an imprimitive polynomial is not primitive, and therefore the powers of the root will not exhaust all the nonzero elements of the field. Since the result of each step of the register is equivalent to multiplying the current element by the root of the imprimitive polynomial used to build the shift register, the states of the shift register will not produce all of the nonzero elements of the field. All the nonzero elements of the field appearing is equivalent to all the different states of a Galois shift register appearing. This happens only if the polynomial used to create the register is primitive.

For example, consider the polynomial h(x) = x^2 + x + b^i over GF(2^4). Now, h(x) has no roots in GF(2^4), so it is irreducible. The Galois shift register generated by h(x) is below.

Figure 5. Galois Shift Register Generated by x^2 + x + b^i

If we initialize the contents of the storage elements with 0 1, the states of the Galois shift register are:

           s_1        s_0
time 0      0          1
time 1      1          0
time 2      1          b^i
time 3      b^i + 1    b^i
...
time 85     0          1

Table 6. States of the Galois Shift Register Generated by x^2 + x + b^i

and are calculated by the following rules:

new s_0 = b^i · old s_1

new s_1 = old s_1 + old s_0 (modulo 2)

Since the period of this shift register is 85, the polynomial h(x) = x^2 + x + b^i is irreducible but not primitive over GF(2^4).
III. MATH TOOLS


In order to gather data about primitive polynomials of the form x^2 + x + a^i, we wrote two programs. One program, written in Mathematica, used the Standard Algorithm for Galois shift registers explained in Chapter II. Because computations are done in the field using built-in functions as well as a special library [8], the program runs slowly. As a result, we took a new approach and looked at the Exponential Algorithm for building fields with Galois shift registers. We programmed this new approach in C++. However, the Exponential Algorithm requires the Galois shift register table for every previous extension field. So, this C++ program needs a lot of memory, and it does not take long for a typical 32-bit x86 based machine to be insufficient. On the other hand, the C++ program is far superior to the Mathematica program in terms of its runtime.

A. MATHEMATICA PROGRAM INSIGHTS 

In order to determine whether or not polynomials of the form x^2 + x + a^i are primitive over a given field and also to determine which power of the current primitive root is equal to previous primitive roots, we programmed a Galois shift register in Mathematica. When this particular shift register is run, addition and multiplication of the elements in the field are still being performed. So, for the Standard Algorithm for the Galois shift register as described in Chapter II and above, we still need computational algebra software. With the help of a Galois theory library for Mathematica [8], the algorithm is simple. Also, we minimized the work that the program did via the procedures explained below. The output of the program is just the states of the shift register, and an example is in Appendix A.

1. Existence of Irreducible Polynomials 

The first step to finding primitive polynomials of the form x^2 + x + a^i for some primitive element a in GF(2^n) and some positive integer i over a particular field GF(2^n) is to find irreducible polynomials of that form. So, we minimized the work that the program did by ignoring reducible polynomials of the form x^2 + x + a^i over each field.

We can determine if irreducible polynomials of the form x^2 + x + a^i exist over a particular field by using a counting argument. However, since we know the total number of polynomials of the form x^2 + x + a^i, we can also find the number of reducible polynomials of that form and then subtract.

For example, consider polynomials over GF(2^2). We know all degree 2 monic polynomials over the field are of the form x^2 + ax + b where a and b are in GF(2^2). Since there are four choices for each of a and b, that leaves us with 16 different monic degree 2 polynomials over the field. Now, we need to determine which ones are irreducible and which ones are reducible. Suppose that x^2 + ax + b is reducible. Then the polynomial factors into two degree 1 terms. In other words, x^2 + ax + b = (x + s)(x + t) for some s and t in GF(2^2). We know all the possible values for s and t, so we can create a table of all the possible products of (x + s) and (x + t).

s \ t    0               1                 a                 a^2
0        x^2             x^2 + x           x^2 + ax          x^2 + a^2 x
1        x^2 + x         x^2 + 1           x^2 + a^2 x + a   x^2 + ax + a^2
a        x^2 + ax        x^2 + a^2 x + a   x^2 + a^2         x^2 + x + 1
a^2      x^2 + a^2 x     x^2 + ax + a^2    x^2 + x + 1       x^2 + a

Table 7. Multiplication Table of All Possible Products of (x + s) and (x + t).

After taking all of the possible products of (x + s) and (x + t), there are only 10 different monic degree 2 polynomials. So, x^2, x^2 + x, x^2 + 1, x^2 + ax, x^2 + a^2 x + a, x^2 + a^2, x^2 + a^2 x, x^2 + ax + a^2, x^2 + x + 1, and x^2 + a are the only polynomials that can be factored into (x + s)(x + t) for some s and t in GF(2^2). This means that there are 16 − 10 = 6 monic degree 2 polynomials that cannot be factored. In other words, they are irreducible.
2. Irreducible Polynomials over a Field

If we look at the problem from a different angle, we can program the search for reducible polynomials. Suppose f(x) = x^2 + x + a^i is reducible and that a^j and a^k are its roots. Then, f(x) = x^2 + x + a^i = (x + a^j)(x + a^k) = x^2 + (a^j + a^k)x + a^(j+k). This only happens if a^j + a^k = 1. Once we find a pair (j, k) for which this relationship holds, we know that the polynomial x^2 + x + a^(j+k) is reducible. Thus, we do not need to run the shift register generated by the polynomial to test if it is primitive.

3. Testing One Root Per Conjugacy Class

We know that elements in the same conjugacy class have the same order. So, if x^2 + x + a^i is a primitive polynomial over GF(2^n), then so is x^2 + x + (a^i)^(2^k) for every (a^i)^(2^k) in the conjugacy class of a^i. Therefore, we only need to run the shift register generated by x^2 + x + a^i to determine the periods of the polynomials whose constant coefficients are in the conjugacy class of a^i.

4. Mathematica Program Pseudocode

For example, the pseudocode for the Mathematica program that builds GF(2^16) is below and the actual code is in Appendix B.

Pseudocode for building GF(2^16):
    set directory to look for finite field library
    declare the field extension GF(2)
    declare the field extension GF(2^2)
    declare the field extension GF(2^4)
    declare the field extension GF(2^8)

    open the outfile

    set the variable lowerField   // name given to the second to last declared extension field (GF(2^8) in this case)
    set sizeOfField               // size of the field we are building (65536 in this case)
    set multiplier                // multiplier in the shift register (aka constant term of the primitive polynomial used to create GF(2^16))
    set newX to 0                 // left box of the shift register
    set oldX to 0                 // temp storage for left box of the shift register
    set newY to 1                 // right box of the shift register
    set oldY to 1                 // temp storage for the right box of the shift register

    write contents of shift register to outfile

    for (n = 1; n <= sizeOfField - 2; n++)   // create all elements of the new field except 0 and 1
    {
        newX = oldX + oldY
        newY = oldX * multiplier

        use library to simplify newX and newY in the lower field (GF(2^8))
        set oldX to newX
        set oldY to newY

        write contents of shift register to outfile

        if the contents of the shift register are the element 1, then stop loop early
    }

    close outfile

B. EXPONENTIAL ALGORITHM FOR GALOIS SHIFT REGISTER 

The Mathematica program must be told which degree 2 polynomials are used to 
build the fields previous to the current field and does not use the previous shift register 
results. This takes a lot of processing time and requires a considerable amount of input 
from the user. However, there is another algorithm that uses Galois shift registers to build 
extension fields, which we call the Exponential Algorithm [9]. This algorithm does not need 
computational algebra software and can be programmed in C++. 

1. Exponential Algorithm Overview 

Let a be a primitive element in GF(2^n). Suppose f(x) = x^2 + x + a^j is a primitive 
polynomial over GF(2^n). Then, use f(x) to generate the Galois shift register. In the 
Standard Algorithm, the contents of the shift register will be elements of GF(2^n), and 
therefore can be represented as either a^i for some i or as 0. In the Exponential 
Algorithm, the elements of the shift register will still represent a^i or 0, but will be 
represented by just the exponent i or *, respectively. (0 cannot represent the number zero 
because 0 in this case represents a^0 = 1.) Also in the Exponential Algorithm, the 
operations of the shift register are modified but the result remains the same. For example, 
instead of new s0 = a^j * old s1, we have new s0 = j + old s1 (where the contents of s0 and 
s1 denote some exponent of a). This follows since multiplication of two numbers with 
the same base is accomplished by simply adding exponents. Also, since 0 * a^i = 0, * + i is 
defined to be *. Figuring out new s1 is a little trickier. In the Standard Algorithm, the 
equation is new s1 = old s1 + old s0 (mod 2). However, in the Exponential Algorithm, 

new s1 = old s1 ⊕ old s0, where ⊕ is a new operator and is related to the addition (mod 2) 
operation from the Standard Algorithm. By definition, * ⊕ i is equal to i for any 
0 <= i <= 2^n - 2 since i represents powers of the primitive element a in GF(2^n). Intuitively, 
this has to do with the fact that 0 + a^i = a^i. Along these lines, i ⊕ i = * since 
a^i + a^i = 0 (mod 2). And * ⊕ * = * since 0 + 0 = 0. However, for i and k not equal to 
each other and for neither i nor k equal to *, determining i ⊕ k requires information from 
the previously defined finite field. Note that if a is a primitive element of GF(2^n), then 

for a^i in GF(2^n) = {0, a^0, a^1, ..., a^(2^n - 2)}, it must be the case that 0 <= i <= 2^n - 2. So, i is an 

element of the additive group of integers modulo 2^n - 1. 

2. Exponential Algorithm: the ⊕ Operator 

In more formal terms, to determine s ⊕ t when using a shift register to build the 
nonzero elements of GF(2^(2n)): 

1. If s = t, the result is *. 

2. If s = *, the result is t. 

3. If t = *, the result is s. 

4. At this point, both s and t are exponents (integers modulo 2^n - 1), s != t, and neither s nor t is equal 
to *. 

i. Retrieve the 2 rows that represent a^s and a^t in the Galois shift 
register table that has the representations of all nonzero elements of 
GF(2^n). 
ii. Do the ⊕ operation component-wise on the 2 rows (i.e., the 
polynomial representations of a^s and a^t). (In other words, return 
to Step 1 for each pair.) 

iii. This results in a new row that represents a^u for some u modulo 2^n - 1. 
Return this result u. 

3. Exponential Algorithm: An Example 

Some rules of the operations + and ⊕ to remember are: 

* ⊕ i = i        i ⊕ i = *        * + i = * 

Also, the rules of the shift register for the Exponential Algorithm are: 

new s0 = j + old s1 (mod 2^n - 1) 
new s1 = old s1 ⊕ old s0 

when the field being built is GF(2^(2n)). 


For example, use the primitive polynomial f(x) = x^2 + x + 1 over GF(2) to build 
GF(2^2). Let a be a root of f(x) and an element of GF(2^2). The Galois shift register 
generated by f(x) in the Standard Algorithm is: 

Figure 6. Galois Shift Register for Standard Algorithm Generated by f(x) 

But in the Exponential Algorithm, the register is: 

Figure 7. Galois Shift Register for Exponential Algorithm Generated by f(x) 

(Recall that 1 = a^0.) Initialize the register created for the Exponential Algorithm 
with a^0, which is denoted by * 0 in the shift register table. (Recall that a^0 = 0*a + a^0*1. 
And the number 0 is denoted by * and a^0 is denoted by 0.) 

Then, after the first step of the register, 

new s0 = 0 + old s1 = 0 + * = * 
new s1 = old s1 ⊕ old s0 = * ⊕ 0 = 0. 

After the second step, 

new s0 = 0 + old s1 (mod 2^1 - 1) = 0 + 0 = 0 
new s1 = old s1 ⊕ old s0 = 0 ⊕ * = 0. 

After the third step, 

new s0 = 0 + old s1 (mod 2^1 - 1) = 0 + 0 = 0 
new s1 = old s1 ⊕ old s0 = 0 ⊕ 0 = *. 

The resulting Galois shift register table for GF(2^2) is: 

        a   1 
a^0     *   0 
a^1     0   * 
a^2     0   0 

Table 8. Nonzero Elements of GF(2^2) Created with Galois Shift Register and 
Exponential Algorithm 
Next, consider the polynomial g(x) = x^2 + x + a over GF(2^2). We saw g(x) is 
primitive and that we can use it to build GF(2^4). Let b be a root of g(x) and an element of 
GF(2^4). The shift register that g(x) generates for the Exponential Algorithm is: 

Figure 8. Galois Shift Register for Exponential Algorithm Generated by g(x) 

After initializing the shift register with * 0, the first 3 rows of the shift register 
table are: 

        b   1 
b^0     *   0 
b^1     0   * 
b^2     0   1 

Table 9. First Three Rows of Galois Shift Register Table for GF(2^4) 

Then after the third step of the shift register, 

new s0 = 1 + old s1 (mod 2^2 - 1) = 1 + 0 = 1 
new s1 = old s1 ⊕ old s0 = 0 ⊕ 1 = ? 

In order to determine the result of 0 ⊕ 1, we need to retrieve the rows of the 
previous shift register table that represent a^0 and a^1. These are * 0 and 0 *, respectively. 

Next, we do the ⊕ operation on the rows, component-wise. 

the first component of the row representing a^0 
⊕ the first component of the row representing a^1 

is * ⊕ 0 = 0. This will be the first component of the row we look for after doing the ⊕ 
operation on the second components of the above rows. 

the second component of the row representing a^0 
⊕ the second component of the row representing a^1 

is 0 ⊕ * = 0. 

Thus, we look for the row whose components are 0 0 in the shift register table for 
GF(2^2). The row representing a^2 has components 0 0. So, return the result 2. Therefore, 
after the third step of the shift register generated by g(x), we have 2 1. 

The shift register continues to be stepped until the shift register table is complete. 

The Exponential Algorithm can still be used with irreducible polynomials that are 
not primitive. However, the shift register then will only create a portion of the set of 
nonzero elements of the extension field. 



        b   1 
b^0     *   0 
b^1     0   * 
b^2     0   1 
b^3     2   1 
b^4     0   0 
b^5     *   1 
b^6     1   * 
b^7     1   2 
b^8     0   2 
b^9     1   1 
b^10    *   2 
b^11    2   * 
b^12    2   0 
b^13    1   0 
b^14    2   2 

Table 10. Nonzero Elements of GF(2^4) Created with Galois Shift Register and 
Exponential Algorithm 

C. C++ PROGRAM INSIGHTS 

Unlike the Mathematica program, the C++ program uses the Exponential 
Algorithm to build fields using Galois shift registers. So, the C++ program does not need 
to do computations in the fields and runs much faster. For example, data was gathered on 
these extension fields and the positions of previous primitive roots within those fields 
with the Mathematica program over the course of 6 months. With the C++ program, we 
are able to gather about 8 times as much data in less than 4 minutes. However, the C++ 
program requires information from the previous extension fields, and uses more memory 
than the Mathematica program. 

Another difference between the C++ program and the Mathematica program is the 
way irreducible polynomials of the form x^2 + x + a^i are found. In the C++ program, we 
use the trace of the element a^i to find irreducible polynomials of the form x^2 + x + a^i 
instead of the method used in the Mathematica program. The trace of an element and this 
method are explained in the section below. 

For the Mathematica program, the only way to determine if the irreducible 
polynomial is primitive is to see if the shift register generated by it has the maximal 
period. If it does not, then the polynomial is not primitive. The C++ program uses 
Theorem 3 from the Results Chapter to quickly determine if an irreducible polynomial of 
the form x^2 + x + a^i is primitive. If it is primitive, then the shift register generated by the 
polynomial is run using the Exponential Algorithm. 

The output of the C++ program is a text file listing the degree 2 polynomials used 
to build the fields up to a particular field as well as the power of the primitive root (of the 
current field) that is equal to the primitive roots used to generate the previous extension 
fields. An example is in Appendix C. Once the memory problem becomes too great to 
build a particular field GF(2^(2n)), the program is still able to print out which polynomials of 
the form x^2 + x + a^i are primitive over GF(2^n) since only information about fields GF(2^n) 
and smaller is needed to determine that. 

1. Trace 

We can use the trace of an element of a field GF(2^n) to determine if the 
polynomial x^2 + x + a^i is irreducible over that field. The trace is defined to be the sum of 
the conjugates of an element of a field. In the Exponential Algorithm for Galois shift 
registers, we define the trace specifically as the ⊕ operation performed on all of the shift 
register table representations of the conjugates of a^i [9]. If the trace is * * (i.e., the 
equivalent of the number "zero" in the field), then the polynomial x^2 + x + a^i is 
reducible. However, if the result is * 0 (i.e., the equivalent of the number "one" in the 
field), then the polynomial x^2 + x + a^i is irreducible. 

For example, consider the polynomial x^2 + x + b^4 over the field GF(2^4) where b is 
a primitive element of GF(2^4). We want to determine if the polynomial is irreducible over 
this field. The trace of b^4 is b^4 + b^8 + b^16 + b^32 = b + b^2 + b^4 + b^8. So, we retrieve the corresponding rows from 
Table 3 above and get the equation: 

    0 * 
    0 1 
    0 0 
⊕   0 2 
    --- 
    * * 

The result is * *, so the polynomial is reducible over GF(2^4). 
Now consider the polynomial x^2 + x + b^7 over GF(2^4). The trace of b^7 is 
b^7 + b^14 + b^13 + b^11. Retrieving the appropriate rows from Table 3, we get the equation: 

    1 2 
    2 2 
    1 0 
⊕   2 * 
    --- 
    * 0 

The result is * 0, so the polynomial is irreducible over GF(2^4). 
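The reducibility criterion of section 2 (a^j + a^k = 1 with j + k = i), the one-test-per-conjugacy-class observation of section 3, the Standard Algorithm register of the Mathematica pseudocode, and the trace test above, worked through in Python as an added example; this is not code from the thesis or from either of its programs. It uses the thesis's own tower GF(2) -> GF(4) -> GF(16), with a a root of x^2 + x + 1 and b a root of x^2 + x + a, so the exponents it reports are the same b^i as in Tables 10 and 12. The encoding of GF(4) as 2-bit integers, of GF(16) as (p, q) pairs, and all function names are this example's own choices.

```python
# Added worked example (not code from the thesis or its programs): the tower
# GF(2) -> GF(4) -> GF(16) with explicit polynomial arithmetic, the Standard
# Algorithm shift register of the Mathematica pseudocode, and the two
# irreducibility tests for x^2 + x + b^i (root pairs and trace).

# GF(4) = GF(2)[a]/(a^2 + a + 1); c1*a + c0 is stored as the 2-bit int (c1 << 1) | c0.
A = 0b10  # the primitive element a of GF(4); a^2 = a + 1 = 0b11

def gf4_mul(u, v):
    """Multiply in GF(4): schoolbook product, then reduce with a^2 = a + 1."""
    u1, u0, v1, v0 = u >> 1, u & 1, v >> 1, v & 1
    c2 = u1 & v1                        # coefficient of a^2 ...
    c1 = (u1 & v0) ^ (u0 & v1) ^ c2     # ... folds into a
    c0 = (u0 & v0) ^ c2                 # ... and into 1
    return (c1 << 1) | c0

# GF(16) = GF(4)[b]/(b^2 + b + a); p*b + q is stored as the pair (p, q), p and q in GF(4).
ZERO16, ONE16 = (0, 0), (0, 1)

def gf16_add(x, y):
    return (x[0] ^ y[0], x[1] ^ y[1])

def gf16_mul(x, y):
    """(p1 b + q1)(p2 b + q2) = p1p2 b^2 + (p1q2 + p2q1) b + q1q2, with b^2 = b + a."""
    (p1, q1), (p2, q2) = x, y
    bb = gf4_mul(p1, p2)
    return (bb ^ gf4_mul(p1, q2) ^ gf4_mul(p2, q1), gf4_mul(bb, A) ^ gf4_mul(q1, q2))

def galois_register(add, mul, zero, one, multiplier):
    """Standard Algorithm register for x^2 + x + multiplier (the Mathematica pseudocode).
    The state (X, Y) stands for X*beta + Y; each step multiplies by the root beta:
    newX = oldX + oldY, newY = oldX * multiplier.  Returns the states beta^0, beta^1, ...
    up to (not including) the first return to beta^0 = 1, so len() is the period."""
    x, y = zero, one
    states = []
    while True:
        states.append((x, y))
        x, y = add(x, y), mul(x, multiplier)
        if (x, y) == (zero, one):
            return states

# Powers of b: run the register over GF(4) with multiplier a.  B[k] is b^k as a (p, q)
# pair, which is exactly the GF(16) representation used above.
B = galois_register(lambda u, v: u ^ v, gf4_mul, 0, 1, A)

def trace16(c):
    """Tr(c) = c + c^2 + c^4 + c^8, the sum of the conjugates of c in GF(16)."""
    total, power = ZERO16, c
    for _ in range(4):
        total = gf16_add(total, power)
        power = gf16_mul(power, power)
    return total

def irreducible_by_pairs(i):
    """Chapter III, section 2: x^2 + x + b^i = (x + b^j)(x + b^k) needs b^j + b^k = 1
    and j + k = i (mod 15); the polynomial is irreducible iff no such pair exists."""
    return not any(gf16_add(B[j], B[(i - j) % 15]) == ONE16 for j in range(15))

def irreducible_by_trace(i):
    """Trace test: x^2 + x + c is irreducible over GF(2^n) iff Tr(c) = 1 (the row '* 0')."""
    return trace16(B[i]) == ONE16

def conjugacy_class(i, n=4):
    """Exponents of the conjugates b^i, b^(2i), b^(4i), ... (section 3: one test per class)."""
    return sorted({(i * 2 ** k) % (2 ** n - 1) for k in range(n)})

def reducible_exponents():
    return [i for i in range(15) if not irreducible_by_trace(i)]

def period_over_gf16(i):
    """Period of the register for x^2 + x + b^i over GF(16); 255 means primitive."""
    return len(galois_register(gf16_add, gf16_mul, ZERO16, ONE16, B[i]))

if __name__ == "__main__":
    print("b^k as (p, q):", B)
    print("reducible x^2 + x + b^i for i in", reducible_exponents())
    seen = set()
    for i in range(15):
        cls = tuple(conjugacy_class(i))
        if cls not in seen:
            seen.add(cls)
            print("class", cls, "irreducible:", irreducible_by_trace(i),
                  "pair test agrees:", irreducible_by_pairs(i) == irreducible_by_trace(i))
    for i in (3, 7):
        print(f"period of x^2 + x + b^{i} over GF(16):", period_over_gf16(i))
```

Running it lists the seven reducible exponents 0, 1, 2, 4, 5, 8, 10 (the set the proof of Theorem 1 in Chapter IV names), shows that the pair search and the trace test agree on every conjugacy class, and, because `galois_register` is written over abstract field operations, runs the same register over GF(16) to get the periods 85 for x^2 + x + b^3 and 255 for x^2 + x + b^7.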

2. C++ Program Pseudocode 

The pseudocode for the C++ Program that iteratively builds the fields GF(2^4) up 
to GF(2^16) is below and the actual code is in Appendix D. 

Define a galois_table structure that will hold info about each extension 
field built. This structure will include the Galois shift register table. 

Define the variable STAR to be the largest unsigned integer the cpu can 
handle. 

Initialize the register (which is just 2 integers) to STAR 0. 

Start with a primitive polynomial of the form x^2+x+a^i over the field 
GF(2^4) (since we know the only two choices). 

Loop until GF(2^16): 

{ 

Loop until out of primitive polynomials for the field: 

{ 

Build the shift register table for the next extension field 
using the Exponential Algorithm and the next primitive polynomial in the 
list. 

When you see the previous primitive root during this 
procedure (looks like 0 STAR in the shift register table), note the power of 
the current primitive root it is equal to. 

Determine which polynomials of the form x^2+x+a^i are 
irreducible over the current field by using the trace of the constant 
coefficient. 

Use Theorem 2 from the Results Chapter to make a list of 
which of those irreducible polynomials are primitive. 

} 

} 
IV. RESULTS 

The results of this work include two programs, charts detailing the extension 
fields and primitive roots, as well as some insight into the field that AES S-box 
computations are computed over. 

A. CHARTS 

The charts in Appendix E are a visualization of the location of previous primitive 
roots in extension fields from GF(2^ ) to GF(2^ ). Each box represents a separate 
extension field. Within each box is listed the polynomial used to create that extension and 
the power of the root of that polynomial which is equal to each root of the polynomials 
used to create each of the previous extension fields. 

The polynomial f(x) = x^2 + x + 1 is irreducible over GF(2). Let a be a root of that 
polynomial. Use the polynomial to create the field GF(2^2) = {0, 1, a, a + 1}. As shown in 
Chapter II, x^2 + x + a is irreducible over GF(2^2). Let b be the root of x^2 + x + a. We 
create the field GF(2^4) with the primitive polynomial x^2 + x + a over GF(2^2). In this case, 
a is our only previous primitive root, so we note which power of b is equal to the root a 
in the box (b^5 = a). 

Note that the vertical lines extending from box to box designate which fields the 
extension fields are built upon. Also, boxes that use the same color indicate that the 
constant coefficients of the primitive polynomials used to build those fields are in the 
same conjugacy class. The field extensions that the primitive polynomials are used to 
create are indicated in the left margin. 

B. THEOREMS 

We restrict the choice of polynomial to build the extension field to be of the form 
x^2 + x + a^i or x^2 + a^i x + 1, as indicated in Chapter I. The AES polynomial is 
x^8 + x^4 + x^3 + x + 1, and the field it creates cannot be realized as an extension field if we 
only use polynomials of the above forms. 

Theorem 1: The field that the AES S-Boxes are implemented in cannot be built 
with degree two extensions of the form x^2 + x + a^i or x^2 + a^i x + 1. 





Proof: 

The AES polynomial, x^8 + x^4 + x^3 + x + 1, is not primitive, of period 51. The only 
polynomial which is primitive of degree 2 over GF(2) to create GF(2^2) is x^2 + x + 1, as we 
showed in Chapter II. Then the only polynomial we can use to create GF(2^4) of our form 
is x^2 + x + a where a is a root of x^2 + x + 1. (Any other choice of polynomial is 
isomorphic to this choice.) To create a field of 2^8 elements we have a choice of 
x^2 + x + b^3 or x^2 + x + b^7, where b is a root of x^2 + x + a. However, x^2 + x + b^3 is 
irreducible but of period 85. (This can be shown with Conway's method [2].) So, it is not 
primitive. The conjugates of b^3 yield the same results, as we discussed in 
Chapter II. Choosing x^2 + x + b^7 results in a primitive polynomial of period 255 as do the 
conjugates of b^7. All other choices of the polynomial x^2 + x + b^i are 
reducible for i = 0, 1, 2, 4, 5, 8, and 10. 

Next, consider using polynomials of the form x^2 + b^i x + 1 to build the field GF(2^8) 
from GF(2^4) where b is an element of GF(2^4). The polynomial is only irreducible when 
i = 1 or i = 3. In each case, the polynomial is not primitive, with period 17. Therefore, 
the degree 2 polynomial that builds the exact same field as the AES polynomial must be 
of the form x^2 + b^i x + b^k with neither b^i = 1 nor b^k = 1. □ 

Incidentally, one can use Magma to show that x^8 + x^4 + x^3 + x + 1 builds the same 
exact field, GF(2^8), from GF(2) as x^2 + bx + b^5 will build from GF(2^4). An example of 
the Magma commands [10] used to show this is below. 

k := GF(256); 
P<x> := PolynomialRing(k); 
a := Roots(x^2+x+1)[1][1]; 
b := Roots(x^2+x+a)[1][1]; 
c := Roots(x^2+b*x+b^5)[1][1]; 
aes := Roots(x^8+x^4+x^3+x+1); 
c in [r[1] : r in aes]; 

S51 := [i : i in k | i^51 eq 1]; 
Note further that x^8 + x^6 + … + 1 builds the same field as x^2 + x + b^…. 


One of the first things we want to determine is if a polynomial of the form 
x^2 + x + a^i is primitive over a particular field. It turns out that in creating the field with 
the Galois shift register using the exponent algorithm, a pattern emerges from the 
elements of the table. This pattern is directly related to the coefficients of the polynomial. 
We can use this pattern to determine the period of the polynomial without running the 
whole shift register. In fact, if a polynomial is of the form x^2 + a^i x + a^j, we do not need 
to run the shift register at all. 

For example, we use x^2 + x + 1 to build GF(2^2). Let a be a root of x^2 + x + 1. Then 
a^2 + a + 1 = 0. Recall that in the table of nonzero field elements, * refers to the number 
zero and the integers refer to the power of 1 (a primitive element in the field GF(2^1) = 
GF(2)). For example, 0 in the table represents 1^0 = 1. Also, the rows represent linear 
combinations of a and 1. For instance, * 0 in the row represents 0*a + 1^0*1 = 1. This 
makes sense because a^0 = 1. For our table of nonzero field elements, we then get: 



        a   1 
a^0     *   0 
a^1     0   * 
a^2     0   0 

Table 11. Nonzero Elements of GF(2^2) created with Galois Shift Register 

The tables of nonzero field elements created with Galois Shift registers are explained in 
Chapter II. 

Now, use x^2 + x + a to build GF(2^4) as an extension of GF(2^2). Let b be a root 
of x^2 + x + a. Then b^2 + b + a = 0. Since a is the primitive element in the field that we 
built GF(2^4) from, the integers in the table refer to powers of a. For example, 0 in the 
table really represents a^0 = 1, 1 represents a^1 = a, and 2 represents a^2 (= a + 1). As in the 
other tables, * refers to the number zero. Also, the rows represent linear combinations of 
b and 1. For instance, * 0 in the row represents 0*b + a^0*1 = 1. This makes sense 
because b^0 = 1. The table of nonzero field elements looks like: 



        b   1 
b^0     *   0 
b^1     0   * 
b^2     0   1 
b^3     2   1 
b^4     0   0 
b^5     *   1 
b^6     1   * 
b^7     1   2 
b^8     0   2 
b^9     1   1 
b^10    *   2 
b^11    2   * 
b^12    2   0 
b^13    1   0 
b^14    2   2 

Table 12. Nonzero Elements of GF(2^4) created with Galois Shift Register 

Note that a pattern can be observed across the rows when we cut the table into 
sections. For instance, to get from b^0 to b^5 to b^10 one only needs to add 1 1 to the entries 
in the table, i.e., we multiply by b^5 by adding the powers. 
        b   1          b   1           b   1 
b^0     *   0   b^5    *   1   b^10    *   2 
b^1     0   *   b^6    1   *   b^11    2   * 
b^2     0   1   b^7    1   2   b^12    2   0 
b^3     2   1   b^8    0   2   b^13    1   0 
b^4     0   0   b^9    1   1   b^14    2   2 

Table 13. Rearranged Nonzero Elements of GF(2^4) Created with Galois Shift Register 


In general, we are building extension fields using degree 2 polynomials, i.e., 
quadratic extensions. If we let β be one root of the irreducible polynomial 
f(x) = x^2 + a^i x + a^j over GF(2^n), we know there is only one other root. Call this other 
root β'. Then, f(x) = (x + β)(x + β') = x^2 + (β + β')x + ββ'. Therefore, ββ' = a^j and 
β + β' = a^i. If we assume we are building the fields using the exponential algorithm 
explained in Chapter III, this means that the row representing β' will look like 0 0. 

Interestingly, it turns out the root β' is actually β^(2^n), as shown in the following 
lemma. 

Lemma 1: Let f(x) = x^2 + ax + c be irreducible over GF(2^n). Let β be a root. 
Then the other root of f(x) is β^(2^n) [3]. 

Proof: 

[f(x)]^(2^n) = [x^2 + ax + c]^(2^n) 
            = (x^2)^(2^n) + (ax)^(2^n) + c^(2^n)        since all cross terms have even coefficients and are 0 mod 2 
            = x^(2*2^n) + a^(2^n) x^(2^n) + c^(2^n) 
            = x^(2*2^n) + a x^(2^n) + c                  since all the elements b of the field GF(2^n) satisfy b^(2^n) = b 
            = (x^(2^n))^2 + a (x^(2^n)) + c = f(x^(2^n)) 

Since f(β) = 0, we get f(β^(2^n)) = [f(β)]^(2^n) = 0. So, β^(2^n) is also a root of f(x). □ 

Note that β is not in GF(2^n), since f(x) is irreducible over GF(2^n), and the elements fixed by raising to the 2^n-th power are exactly those of GF(2^n); so β^(2^n) is distinct from β in GF(2^(2n)) if n > 0. 

Therefore, if we let f(x) = x^2 + a^i x + a^j be an irreducible polynomial over 
GF(2^n) and β be a root, then β^(2^n) is also a root of f(x). Note that we will use f(x) to build 
GF(2^(2n)) if this polynomial is also primitive. 

Theorem 2: The order of an irreducible polynomial f(x) = x^2 + a^i x + a^j over 
GF(2^n) is equal to the order of the element j in the additive group of integers modulo 2^n - 1. 

Proof: 

Recall from our comments above that β β^(2^n) = β^(2^n + 1) = a^j. So, β^(2^n + 1) is represented by * j 
in the shift register table. Since β^(2^n + 1) = a^j, β^((2^n + 1)*2) = (a^j)^2 = a^(2j). So, the entry for 
β^((2^n + 1)*2) is * 2j in the table. Similarly, the entry for β^((2^n + 1)*k) is * kj (mod 2^n - 1, because 
these numbers represent powers of a primitive element in GF(2^n)). □ 

Theorem 3: If f(x) = x^2 + a^i x + a^j is irreducible over GF(2^n) and β in GF(2^(2n)) 
is a root, then the other root, β^(2^n), is represented as 0 i in the Galois shift register table. 

Proof: 

Since β and β^(2^n) are roots of f(x), f(x) = (x + β)(x + β^(2^n)), which equals 
x^2 + (β + β^(2^n))x + β^(2^n + 1). So, a^i = β + β^(2^n) and a^j = β^(2^n + 1). Since a^i = β + β^(2^n), then 
β^(2^n) = a^i + β. We know β is represented by 0 * in the Galois shift register table when 
using the exponent algorithm. So, 

β + a^i  =    0 * 
           ⊕  * i 
              --- 
              0 i 

Therefore, β^(2^n) is represented as 0 i in the Galois shift register table. □ 
Using the second program described in Chapter III, it is simple to determine 
which polynomials of the form x^2 + x + a^i are primitive over GF(2^16) and can be used to 
build GF(2^32). 

C. CONCLUSIONS 

The results of this work are the first steps towards a full understanding of the field 
that AES computation occurs in, GF(2^8). The charts created with the data from the C++ 
program detail which power of the current primitive root is equal to previous primitive 
roots for fields up through GF(2^16) created by polynomials of the form x^2 + x + a^i for a 
primitive element a. Currently, the C++ program will also provide all the primitive 
polynomials of the form x^2 + x + a^i for a primitive element a over the fields through 
GF(2^16). This work also led to a deeper understanding of certain elements of a field and 
their equivalent shift register state when using the Exponential Algorithm. In addition, 
given an irreducible polynomial f(x) = x^2 + a^i x + a^j over GF(2^n), the period (and 
therefore the primitivity) can be determined without running the shift register generated 
by f(x). 
V. FUTURE WORK 

There are still unanswered questions left to explore when it comes to 
understanding the field, GF(2^8), that AES relies on. 

A. OTHER ALGORITHMS 

While being able to build the fields with shift registers and program this method 
saved a lot of time, we still ran into some stumbling blocks. The Mathematica program 
using the Standard Algorithm did not need to store much in memory, but it took a long 
time to do its computations. On the other hand, the C++ program using the Exponential 
Algorithm needed a lot of memory but very little run time. Perhaps there is a different 
algorithm that is more in the middle of the resource spectrum, one that can build these 
fields quickly with shift registers but does not require as much memory as the 
Exponential Algorithm. Or maybe there is a better way to design the C++ program while 
still using the Exponential Algorithm. 

B. AES AND POLYNOMIALS OF THE FORM x^2 + x + a^i 

In his paper [1], Canright explored building extension fields with polynomials of 
the form x^2 + αx + β over GF(2^n) where α and β are elements of GF(2^n) and where one 
of α or β (but not both) is equal to 1. With polynomials of this form, he is able to 
create an implementation of an S-box that is 16% smaller than the previous most efficient 
implementation. By modifying the implementation of AES using polynomials of the form 
x^2 + x + a^i where a is a primitive element, can an implementation that is more efficient 
than Canright's be found? 

In addition to determining if using polynomials of the form x^2 + x + a^i to build 
GF(2^8) makes the AES implementation more efficient, there are also other questions 
regarding polynomials of the form x^2 + x + a^i and AES. For example, would using 
polynomials of this form to implement AES have the adverse effect of weakening the 
AES algorithm in some way? 

The relationship between the roots of these polynomials, the constant coefficients 
of these polynomials, and the AES S-boxes needs more investigation. 
C. MATHEMATICS AND POLYNOMIALS OF THE FORM x^2 + x + a^i 

Besides asking questions regarding these polynomials and AES, there are also 
interesting mathematical questions. Specifically, is there a relationship among the powers 
of the primitive roots used to generate the coefficients of each polynomial x^2 + x + a^i that 
are, in turn, used to build the field extensions? Can we predict what polynomials will be 
primitive? Also, can one continue the field extensions forever using only polynomials of 
the form x^2 + x + a^i for some primitive element a? An argument can be made using 
counting ideas to indicate that this is probably possible. It would be very nice to be able 
to predict their form. 
APPENDIX A. ONE PAGE OF MATHEMATICA PROGRAM 
OUTPUT EXAMPLE 

Appendix A is a one-page example of the output generated by the Mathematica 
program in Appendix B. The output shows the power of the root of the polynomial that 
generates the shift register followed by the contents of the storage elements of the shift 
register separated by a comma. 


D0 0, 1 
D1 1, 0 
D2 1, 1 + a + b + (1 + a + ab) c 
D3 a + b + (1 + a + ab) c, 1 + a + b + (1 + a + ab) c 
D4 1, 1 + a + ab + bc 
D5 a + ab + bc, 1 + a + b + (1 + a + ab) c 
D6 1 + (1 + a) b + (1 + a + (1 + a) b) c, 1 + a + b + (1 + ab) c 
D7 a + ab + (a + b) c, 1 + a + ab + (a + b) c 
D8 1, a + (1 + (1 + a) b) c 
D9 1 + a + (1 + (1 + a) b) c, 1 + a + b + (1 + a + ab) c 
D10 b + (a + b) c, a + c 
D11 a + b + (1 + a + b) c, a + (1 + a) b + (a + (1 + a) b) c 
D12 ab + (1 + ab) c, ab + (1 + a + (1 + a) b) c 
D13 (a + b) c, a + (1 + a) c 
D14 a + (1 + b) c, b + (1 + ab) c 
D15 a + b + (1 + a) bc, 1 + a + b + (1 + a) bc 
D16 1, c 
D17 1 + c, 1 + a + b + (1 + a + ab) c 
D18 a + b + (a + ab) c, ab + (1 + a + b) c 
D19 a + (1 + a) b + (1 + (1 + a) b) c, b + abc 
D20 a + ab + (1 + b) c, bc 
D21 a + ab + c, ab + (1 + b) c 
D22 a + bc, 1 + ab + abc 
D23 1 + a + ab + (1 + a) bc, ab 
D24 1 + a + (1 + a) bc, a + bc 
D25 1 + abc, 1 + (1 + a) b + (1 + (1 + a) b) c 
D26 (1 + a) b + (1 + b) c, 1 + b + (1 + (1 + a) b) c 
D27 1 + ab + abc, 1 + a + ab + (1 + a + (1 + a) b) c 
D28 a + (1 + a + b) c, a + ab + bc 
D29 ab + (1 + a) c, a + abc 
D30 a + ab + (1 + a + ab) c, 1 + b + c 
D31 1 + a + (1 + a) b + (a + ab) c, a + (1 + a) b + (a + ab) c 
D32 1, (1 + a) b + (a + ab) c 
D33 1 + (1 + a) b + (a + ab) c, 1 + a + b + (1 + a + ab) c 
D34 a + ab + c, 1 + b + (1 + a + b) c 
D35 1 + a + (1 + a) b + (a + b) c, 1 + ab + abc 
D36 a + b + (a + (1 + a) b) c, 1 + a + (1 + a) b + c 
D37 1 + ab + (1 + a + (1 + a) b) c, 1 + b + (1 + b) c 
D38 (1 + a) b + (a + ab) c, 1 + c 
D39 1 + (1 + a) b + (1 + a + ab) c, a + (1 + a) bc 
D40 1 + a + (1 + a) b + (1 + a + b) c, a + ab + (1 + a + ab) c 
D41 1 + b + (1 + a) bc, (1 + (1 + a) b) c 
APPENDIX B. MATHEMATICA PROGRAM CODE 

Appendix B is the Mathematica code for creating the elements of GF(2^16) using a 
Galois shift register generated by x^2 + x + c^21 for c in GF(2^8). 


SetDirectory["C:\\Documents and Settings\\jody\\Desktop\\thesis"]; 
<< AlgFields.txt 

(*ClearAll[fieldTable, irredTable];*) 

FDeclareFiniteField[GF2, 2]; 
FDeclareExtensionField[GF4, GF2, {a^2+a+1}]; 
FDeclareExtensionField[GF16, GF4, {b^2+b+a}]; 
FDeclareExtensionField[GF256, GF16, {c^2+c+b^7}]; 
FDeclareExtensionField[GF65536, GF256, {d^2+d+c^21}]; 

(*things you need to change each time*) 

outFile = OpenWrite["GF65535poly21.txt"]; 
xtnField = GF65536; 
lowerField = GF256; 
sizeOfField = 65536; 
multiplier = c^21; 
newTerm = d; 

newX = 0; 
oldX = 0; 
newY = 1; 
oldY = 1; 

Print[newTerm, "0 ", newX, ", ", newY]; 
WriteString[outFile, "D0 ", newX, ", ", newY, "\n"]; 

(*n runs to sizeOfField-2 so that every nonzero element is written, as in the pseudocode*) 
For[n = 1, n <= sizeOfField - 2, n++, 
  newX = oldX + oldY; 
  newY = oldX * multiplier; 
  newX = FSimplifyF[newX, lowerField]; 
  newY = FSimplifyF[newY, lowerField]; 
  oldX = newX; 
  oldY = newY; 

  (*Print[newTerm, n, " ", newX, ", ", newY];*) 
  WriteString[outFile, "D", n, " ", newX, ", ", newY, "\n"]; 
] 

Close[outFile]; 
APPENDIX C. ONE PAGE OF C++ PROGRAM OUTPUT 
EXAMPLE 

Appendix C is a one-page example of the output generated by the C++ program in 
Appendix D. The output states the primitive polynomials used to build each field up to 
that point and also which power of the current primitive root is equal to previous 
primitive roots. For example, consider the polynomial x^2 + x + a over GF(2^2) where a is 
an element of GF(2^2). Suppose b is a root of the polynomial. Then, in GF(2^4), b^5 = a. In 
the output of the program, this is worded as "position of root from degree 4 extension is: 
5". 


STAR is ffffffff 
Building GF4.. 

building GF16 with x^2+x+a^1 

position of root from degree 4 extension is: 5 

GF4 built with x^2+x+1. GF16 built with x^2+x+a^1. GF256 built with 
x^2+x+b^7 

position of root from degree 8 extension is: 221 
position of root from degree 4 extension is: 85 

GF4 built with x^2+x+1. GF16 built with x^2+x+a^1. GF256 built with 
x^2+x+b^7. GF2to16 built with x^2+x+c^11. 

position of root from degree 16 extension is: 29812 
position of root from degree 8 extension is: 34952 
position of root from degree 4 extension is: 43690 

GF4 built with x^2+x+1. GF16 built with x^2+x+a^1. GF256 built with 
x^2+x+b^7. GF2to16 built with x^2+x+c^22. 

position of root from degree 16 extension is: 14906 
position of root from degree 8 extension is: 17476 
position of root from degree 4 extension is: 21845 

GF4 built with x^2+x+1. GF16 built with x^2+x+a^1. GF256 built with 
x^2+x+b^7. GF2to16 built with x^2+x+c^44. 

position of root from degree 16 extension is: 7453 
position of root from degree 8 extension is: 8738 
position of root from degree 4 extension is: 43690 

GF4 built with x^2+x+1. GF16 built with x^2+x+a^1. GF256 built with 
x^2+x+b^7. GF2to16 built with x^2+x+c^88. 

position of root from degree 16 extension is: 36494 
position of root from degree 8 extension is: 4369 
position of root from degree 4 extension is: 21845 
APPENDIX D. C++ PROGRAM CODE 

Appendix D contains the C++ program that builds fields using Galois shift 
registers with the Exponential Algorithm. It also is capable of finding primitive 
polynomials of the form x^2 + x + a^i for a primitive element a over these fields. 


/*Jody Radowicz
Masters Thesis, 2006

This program iteratively goes through all of the extension fields over
GF2 through GF(2^16) and prints out the primitive polynomials used to
build the extensions as well as which power of the current root is
equal to each previous root. It also reports which polynomials are
reducible as well as the irreducible but imprimitive polynomials with
their periods.

***Note***: This program currently only ever considers polynomials of
the form x^2+x+constant
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <limits.h>
#include <math.h>
#include <vector>
using namespace std;

typedef u_int32_t int_type;         //a definition of the largest int, depending on the computer
typedef vector<int_type> NumVector; //holds the constant coefficients of the primitive
                                    //polynomials of the form x^2+x+root^i over the current field

typedef struct galois_table_struct //struct that holds information about a particular field
{
    int_type **curr;                  //pointer to a pointer to the current field
    struct galois_table_struct *prev; //pointer to the struct that holds info about the field
                                      //that the current field is extended from
    struct galois_table_struct *next; //pointer to the struct that holds info about the
                                      //extension field built from this field
    int field_size;         //size of table that holds the possible contents of the shift
                            //register + 1, also happens to be the size of the field
    int extn_degree;        //degree of the extension field over GF2
    int prev_field_size;    //size of previous extension field
    int_type root_position; //position in the table created with the Galois shift register
                            //of the root of the primitive poly used to create the previous
                            //field (means new root^root_position = old root)
    char root_name;         //used to keep track of root name for printing purposes
} galois_table;

int_type STAR = UINT_MAX; //STAR is a constant int that is treated differently when it comes
                          //to multiplication and addition. It actually represents the number
                          //zero while the other numbers all represent the exponent i on the
                          //number root^i when it comes to the contents of the shift registers

int_type curr_left_reg = STAR; //the left register of the Galois shift register
int_type old_left_reg = STAR;  //a temp holder for the left register
int_type curr_rt_reg = 0;      //the right register of the Galois shift register
int_type old_rt_reg = 0;       //a temp holder for the right register

//declare one instance for each type of table since we will only need one table for each
//extension at a time
galois_table GF4_table;
galois_table GF16_table;
galois_table GF256_table;
galois_table GF2to16_table;
//galois_table GF2to32_table;

int_type sanity_check_num = 0; //number of bits of machine - 1, meant to avoid overflow when
                               //adding large numbers

void print_table(galois_table t); //prints the table created from the Galois register, which
                                  //holds the elements of the extension field whose
                                  //galois_table struct gets passed to it
void build_extn_field(galois_table &t, int_type multiplier); //builds the extension field,
                                  //using a polynomial of the form x^2+x+root^multiplier
void build_table_memory(); //builds table memory
NumVector coset_trace(galois_table table); //determines the trace of the constant
    //coefficients of polynomials and returns a vector of primitive polynomials' constant
    //coefficients with which to build the next extension field. The trace is used to
    //determine if the polynomial is reducible or not.
int_type check_order(int_type number, galois_table table); //returns the order of number in
    //the given Galois field. When passed a constant coefficient, we can determine if the
    //corresponding irreducible polynomial is primitive or not by checking the coefficient's
    //order in the previous Galois field.
void calc_roots(galois_table table, int_type top_field_size, int_type prev_root_pos,
                int_type times); //prints where all of the previous roots occur in a given
    //field. top_field_size is the size of the highest extension field, times is the degree
    //of the highest extension field over GF2 and helps the function determine how many
    //roots it needs to look for.
int_type high_bit_pos(int_type number); //returns the number of the highest bit position
                                        //(start counting with 0)

//struct //used for command line arguments
//{
//    int_type size_of_field;
//} global_cfg;

void usage() //prints the form of the command used to run the program
{
    printf("./iter_fields\n");
}

void parse_args(int argc, char **argv) //parses command line arguments, if there are any
{
    if (argc != 1)
        usage();
    // else
    //     global_cfg.size_of_field = atoi(argv[1]);

    //--Sanity checking arguments
    // if (global_cfg.size_of_field != 16)
    // {
    //     printf("parse_args::Error! Size should be 16.\n");
    //     exit(0);
    // }
    // printf("Doing run with field size: %d\n", global_cfg.size_of_field);
}

void dump_regs(galois_table table, int row) //puts the register contents into a particular
    //field's table. Used when building the tables that hold the elements of a particular
    //field.
{
    table.curr[row][0] = curr_left_reg;
    table.curr[row][1] = curr_rt_reg;
}

void reset_regs() //resets the registers to the starting state
{
    curr_left_reg = old_left_reg = STAR;
    curr_rt_reg = old_rt_reg = 0;
}

void build_table_memory() //builds tables, makes sure there is enough memory. Fills in some
    //of the galois_table struct's elements that are common to a particular extension
    //degree. Only done once at the beginning of the program.
{
    GF4_table.curr = new int_type*[3];
    GF16_table.curr = new int_type*[15];
    GF256_table.curr = new int_type*[255];
    GF2to16_table.curr = new int_type*[65535];
    //GF2to32_table.curr = new int_type*[4294967295];

    if ((!GF4_table.curr) || (!GF16_table.curr) || (!GF256_table.curr) ||
        (!GF2to16_table.curr) /* || (!GF2to32_table.curr) */)
    {
        fprintf(stderr, "Error allocating initial dimension of table memory. exiting\n");
        exit(0);
    }

    for (int i = 0; i < 3; i++)
    {
        GF4_table.curr[i] = new int_type[2];
        if (GF4_table.curr[i] == NULL)
        {
            printf("Error allocating sub-array in GF4. i = %d exiting\n", i);
            exit(0);
        }
    }
    GF4_table.field_size = 4;
    GF4_table.extn_degree = 2;
    GF4_table.prev_field_size = 1;
    GF4_table.prev = NULL;
    GF4_table.next = &GF16_table;
    GF4_table.root_name = 'a';

    for (int i = 0; i < 15; i++)
    {
        GF16_table.curr[i] = new int_type[2];
        if (GF16_table.curr[i] == NULL)
        {
            printf("Error allocating sub-array in GF16. i = %d exiting\n", i);
            exit(0);
        }
    }
    GF16_table.field_size = 16;
    GF16_table.extn_degree = 4;
    GF16_table.prev_field_size = 4;
    GF16_table.prev = &GF4_table;
    GF16_table.next = &GF256_table;
    GF16_table.root_name = 'b';

    for (int i = 0; i < 255; i++)
    {
        GF256_table.curr[i] = new int_type[2];
        if (GF256_table.curr[i] == NULL)
        {
            printf("Error allocating sub-array in GF256. i = %d exiting\n", i);
            exit(0);
        }
    }
    GF256_table.field_size = 256;
    GF256_table.extn_degree = 8;
    GF256_table.prev_field_size = 16;
    GF256_table.prev = &GF16_table;
    GF256_table.next = &GF2to16_table;
    GF256_table.root_name = 'c';

    for (int i = 0; i < 65535; i++)
    {
        GF2to16_table.curr[i] = new int_type[2];
        if (GF2to16_table.curr[i] == NULL)
        {
            printf("Error allocating sub-array in GF2to16. i = %d exiting\n", i);
            exit(0);
        }
    }
    GF2to16_table.field_size = 65536;
    GF2to16_table.extn_degree = 16;
    GF2to16_table.prev_field_size = 256;
    GF2to16_table.prev = &GF256_table;
    // GF2to16_table.next = &GF2to32_table;
    GF2to16_table.next = NULL;
    GF2to16_table.root_name = 'd';

    /*for (int i = 0; i < (pow(2, 32)-1); i++)
    {
        GF2to32_table.curr[i] = new int_type[2];
        if (GF2to32_table.curr[i] == NULL)
        {
            fprintf(stderr, "Error allocating sub-array in GF2to32. i = %d exiting\n", i);
            exit(0);
        }
    }
    GF2to32_table.field_size = (int) pow(2, 32);
    GF2to32_table.extn_degree = 32;
    GF2to32_table.prev_field_size = 65536;
    GF2to32_table.prev = &GF2to16_table;
    GF2to32_table.next = NULL;
    GF2to32_table.root_name = 'e';
    */

    //build GF4's table. It is the same every time because there is only one primitive
    //polynomial over GF2, x^2+x+1.
    printf("Building GF4..\n");
    GF4_table.curr[0][0] = STAR;
    GF4_table.curr[0][1] = 0;
    GF4_table.curr[1][0] = 0;
    GF4_table.curr[1][1] = STAR;
    GF4_table.curr[2][0] = 0;
    GF4_table.curr[2][1] = 0;
}

int main(int argc, char **argv)
{
    NumVector V; //vector that holds the constant coefficients of primitive polynomials over
                 //the current field
    NumVector::iterator my_iter; //an iterator that runs through the vector

    parse_args(argc, argv);
    sanity_check_num = high_bit_pos(STAR); //sanity_check_num is used to make sure there
                                           //are no overflows in the calculations
    printf("STAR is %x\n", STAR);
    build_table_memory();

    //********do below when you want to follow one path down the field extensions
    printf("\nbuilding GF16 with x^2+x+%c^1", GF16_table.prev->root_name);
    build_extn_field(GF16_table, 1);
    calc_roots(GF16_table, GF16_table.field_size, 1, GF16_table.extn_degree);

    reset_regs();
    printf("\nGF4 built with x^2+x+1. GF16 built with x^2+x+%c^1. GF256 built with x^2+x+%c^7",
           GF16_table.prev->root_name, GF256_table.prev->root_name);
    build_extn_field(GF256_table, 7);
    calc_roots(GF256_table, GF256_table.field_size, 1, GF256_table.extn_degree);

    reset_regs();
    printf("\nGF4 built with x^2+x+1. GF16 built with x^2+x+%c^1. GF256 built with x^2+x+%c^7. "
           "GF2to16 built with x^2+x+%c^11.", GF16_table.prev->root_name,
           GF256_table.prev->root_name, GF2to16_table.prev->root_name);
    build_extn_field(GF2to16_table, 11);
    calc_roots(GF2to16_table, GF2to16_table.field_size, 1, GF2to16_table.extn_degree);

    /* reset_regs();
    printf("\nGF4 built with x^2+x+1. GF16 built with x^2+x+%c^1. GF256 built with x^2+x+%c^7. "
           "GF2to16 built with x^2+x+%c^11. GF2to32 built with x^2+x+%c^19.",
           GF16_table.prev->root_name, GF256_table.prev->root_name,
           GF2to16_table.prev->root_name, GF2to32_table.prev->root_name);
    build_extn_field(GF2to32_table, 19);
    calc_roots(GF2to32_table, GF2to32_table.field_size, 1, GF2to32_table.extn_degree);
    */
    //*******end straight run through fields

    //*******do below when you want to run through all of the fields iteratively
    /*
    printf("\nbuilding GF16 with x^2+x+%c^2", GF16_table.prev->root_name);
    build_extn_field(GF16_table, 2);
    // print_table(GF16_table);
    V = coset_trace(GF16_table);
    calc_roots(GF16_table, GF16_table.field_size, 1, GF16_table.extn_degree);

    my_iter = V.begin();
    while (my_iter != V.end())
    {
        reset_regs();
        printf("\nGF4 built with x^2+x+1. GF16 built with x^2+x+%c^2. GF256 built with x^2+x+%c^%d",
               GF16_table.prev->root_name, GF256_table.prev->root_name, *my_iter);
        build_extn_field(GF256_table, *my_iter);

        NumVector newV;
        NumVector::iterator new_iter;
        newV = coset_trace(GF256_table);
        calc_roots(GF256_table, GF256_table.field_size, 1, GF256_table.extn_degree);

        new_iter = newV.begin();
        while (new_iter != newV.end())
        {
            reset_regs();
            printf("\nGF4 built with x^2+x+1. GF16 built with x^2+x+%c^2. GF256 built with "
                   "x^2+x+%c^%d. GF2to16 built with x^2+x+%c^%d.", GF16_table.prev->root_name,
                   GF256_table.prev->root_name, *my_iter, GF2to16_table.prev->root_name, *new_iter);
            // printf("\nGF2to16 built with x^2+x+root^%d\n", *new_iter);
            build_extn_field(GF2to16_table, *new_iter);
            coset_trace(GF2to16_table);
            calc_roots(GF2to16_table, GF2to16_table.field_size, 1, GF2to16_table.extn_degree);
            new_iter++;
        }//end inner while
        my_iter++;
    }//end while
    */
    //*********iterative run

    return 0;
}//end main

//circle_add takes two elements that you want to circle add and the field that they are in
//and returns the result. The elements are given as exponents of the previous field's root.
int_type circle_add(int_type left, int_type right, galois_table curr_field)
{
    int_type first_temp_left, second_temp_left, result_left,
             first_temp_rt, second_temp_rt, result_rt;

    if (left == STAR)
        return right;
    else if (right == STAR)
        return left;
    else if (left == right)
        return STAR;
    else //neither have STAR as content and they arent equal
    {
        //fill temp regs
        first_temp_left = curr_field.prev->curr[left][0];
        first_temp_rt = curr_field.prev->curr[left][1];
        second_temp_left = curr_field.prev->curr[right][0];
        second_temp_rt = curr_field.prev->curr[right][1];

        //circle add component wise, starting with left
        result_left = circle_add(first_temp_left, second_temp_left, *(curr_field.prev));
        //circle add component wise, now with right
        result_rt = circle_add(first_temp_rt, second_temp_rt, *(curr_field.prev));

        //need to find row in the prev field where result_left and result_rt are located
        for (int j = 0; j < (curr_field.prev_field_size - 1); j++)
        {
            if ((curr_field.prev->curr[j][0] == result_left) &&
                (curr_field.prev->curr[j][1] == result_rt))
                return j;
        }//end for
    }//end else

    //in characteristic 2 the sum of two distinct nonzero elements is nonzero, so the
    //search above always succeeds; getting here means the table is corrupt
    fprintf(stderr, "circle_add::sum not found in previous field table\n");
    exit(1);
}//end circle_add

//build_extn_field takes a galois_table struct and the constant coefficient of the primitive
//polynomial that you want to build the field with and runs through the Galois shift
//register in order to build the field. It puts each nonzero element in the table.
void build_extn_field(galois_table &table, int_type multiplier)
{
    dump_regs(table, 0);

    for (int row = 1; row < table.field_size - 1; row++)
    {
        //printf("build_extn_field::%d\n", row);
        curr_left_reg = circle_add(old_left_reg, old_rt_reg, table);

        //now calculate curr_rt_reg
        if (old_left_reg == STAR)
            curr_rt_reg = STAR;
        else if ((old_left_reg >= pow(2, sanity_check_num)) &&
                 (multiplier >= pow(2, sanity_check_num)))
        {
            fprintf(stderr, "Numbers are out of range. Need more bits in the machine.\n");
            exit(0);
        }
        else
            curr_rt_reg = (old_left_reg + multiplier) % (table.prev_field_size - 1);

        //put contents of regs in table
        dump_regs(table, row);

        //update reg values
        old_left_reg = curr_left_reg;
        old_rt_reg = curr_rt_reg;

        //check for root position
        if ((curr_left_reg == STAR) && (curr_rt_reg == 1))
        {
            //printf("found root at: %d\n", row);
            table.root_position = row;
            // printf("root position is: %u\n", table.root_position);
        }
    }//end for
}

//coset_trace goes through each constant coefficient to determine if x^2+x+constant is
//irreducible or not by determining the trace of the constant. If the polynomial is
//irreducible, it determines the order of the constant in the previous Galois field to see
//if it has full order and therefore the polynomial is primitive. If the polynomial is
//primitive, then coset_trace determines the other elements of the coset and puts them all
//in a vector. coset_trace returns this vector in case you want to iteratively run through
//the fields.
NumVector coset_trace(galois_table table)
{
    int_type **trace_table;
    int_type *coset_array;

    trace_table = new int_type*[table.extn_degree]; //trace_table holds a representation of
        //each element in a coset that a particular constant coefficient also belongs to
    coset_array = new int_type[table.field_size - 1]; //coset_array holds all nonzero
        //elements of a field and is used to keep track of whether or not x^2+x+element is
        //irreducible and primitive

    int_type left_trace = 0; //left_trace is the left part of the representation of each
                             //element in a coset, circle_added together
    int_type rt_trace = 0;   //rt_trace is the right part of the representation of each
                             //element in a coset, circle_added together
    int_type order;          //the order of a particular constant coefficient in the
                             //previous galois field
    NumVector ret;           //the vector that coset_trace returns; holds the constant
                             //coefficients for each x^2+x+constant that is primitive over
                             //the current galois field

    //make sure there's enough memory for the tables
    if (!trace_table || !coset_array)
    {
        printf("coset_trace::Error allocating memory for trace_table or coset_array\n");
        exit(0);
    }

    for (int i = 0; i < table.extn_degree; i++) //NO subtracting from extn_degree
    {
        trace_table[i] = new int_type[2];
        if (trace_table[i] == NULL)
        {
            printf("Error allocating trace_table. i = %d exiting\n", i);
            exit(0);
        }
    }

    //initialize coset_array
    for (int k = 0; k < table.field_size - 1; k++)
        coset_array[k] = 0;

    //find next coset_rep, fill trace_table, print coset,
    //determine trace, print trace..
    for (int j = 0; j < table.field_size - 1; j++)
    {
        //printf("J:[%d/%d]\n ", j, table.field_size - 1);
        if (coset_array[j] == 0) //coset_array[j]==0 means it hasn't been checked yet
        {
            // printf("coset rep is: C%d\n", j);
            coset_array[j] = 1; //coset_array[j]==1 means it has been checked for being
                                //irred/red
            trace_table[0][0] = table.curr[j][0];
            trace_table[0][1] = table.curr[j][1];

            //fill trace_table
            for (int k = 1; k < table.extn_degree; k++)
            {
                //sanity check for bits
                if (high_bit_pos(j) + high_bit_pos((2 << (k-1))) >= sanity_check_num + 1)
                {
                    fprintf(stderr, "numbers out of range. Need more bits in the machine");
                    exit(0);
                }

                //offset is the row in the current galois field table where a coset
                //member's representation is located
                int offset = (j * (2 << (k-1))) % (table.field_size - 1);
                //printf("\tK: [%d/%d]\n", k, table.extn_degree);
                // printf("C%d is in this coset \n", offset);
                coset_array[offset] = 2; //coset_array[j]==2 means that it is a coset member
                    //in a coset where one of the members' trace has already been computed.
                    //Since elements in the coset are either all red/irred, we only need to
                    //check one.
                trace_table[k][0] = table.curr[offset][0];
                trace_table[k][1] = table.curr[offset][1];
                //printf("\tK: --[%d/%d]\n", k, table.extn_degree);
            }//end for (k=1..extn_degree)

            //determine trace
            left_trace = circle_add(trace_table[0][0], trace_table[1][0], table);
            for (int n = 2; n < table.extn_degree; n++)
            {
                left_trace = circle_add(left_trace, trace_table[n][0], table);
            }
            rt_trace = circle_add(trace_table[0][1], trace_table[1][1], table);
            for (int n = 2; n < table.extn_degree; n++)
            {
                rt_trace = circle_add(rt_trace, trace_table[n][1], table);
            }

            //print trace
            //printf("trace of c %d is: %u %u\n", j, left_trace, rt_trace);

            if ((left_trace == STAR) && (rt_trace == STAR))
            {
                // printf("x^2 + x + c^%d is reducible\n\n", j);
            }
            else if ((left_trace == STAR) && (rt_trace == 0))
            {
                // printf("x^2 + x + c^%d is irreducible\n", j);
                order = check_order(j, table);
                if (order == (table.prev_field_size - 1))
                {
                    //put j in the vector
                    ret.push_back(j);
                    for (int k = 1; k < table.extn_degree; k++)
                    {
                        //sanity check the bits
                        if (high_bit_pos(j) + high_bit_pos((2 << (k-1))) >= sanity_check_num + 1)
                        {
                            fprintf(stderr, "Numbers out of range. Need more bits in the machine.");
                            exit(0);
                        }
                        int offset = (j * (2 << (k-1))) % (table.field_size - 1);
                        //printf("C%d is in this coset \n", offset);
                        //put coset members in here
                        ret.push_back(offset);
                    }//end for
                    // printf("x^2 + x + c^%d is primitive.\n\n", j);
                }//end if
                else
                {
                    // printf("x^2 + x + c^%d is not primitive with period %u\n\n", j, order);
                }
            }//end else if
            else //Trace should only be one of two things. If trace is wrong, this will catch
                 //it and give you an error message.
            {
                printf("error. trace is *not* correct\n");
                printf("left_trace = %u, rt_trace = %u\n", left_trace, rt_trace);
            }
        }//end if
    }//end for
    printf("\n");

    for (int i = 0; i < table.extn_degree; i++)
        delete[] trace_table[i];
    delete[] trace_table;
    delete[] coset_array;
    return ret;
}//end coset_trace

//print_table prints the elements of the field whose galois_table struct it is passed
void print_table(galois_table table)
{
    //fprintf(stderr, "       |C     |\n\n");
    for (int i = 0; i < table.field_size - 1; i++)
    {
        printf("root^%d: ", i);
        if (table.curr[i][0] == STAR)
            printf("STAR,");
        else
            printf("%4u,", table.curr[i][0]);

        if (table.curr[i][1] == STAR)
            printf("STAR\n");
        else
            printf("%4u\n", table.curr[i][1]);
    }
}//end print_table

//check_order takes a field element and finds its order in the previous galois field and
//returns the order. check_order assumes the element passed to it is not 0!!!
int_type check_order(int_type number, galois_table table)
{
    //find order of number in prev field
    // *** assumes number is not 0! ***
    int_type test = number;
    int_type order = 1;

    while (test != 0)
    {
        test = (test + number) % (table.prev_field_size - 1);
        order++;
    }//end while

    return order;
}//end check_order

//calc_roots prints out the location in the current field of all previously seen roots
void calc_roots(galois_table table, int_type top_field_size, int_type prev_root_pos,
                int_type times)
{
    int_type curr_root_pos;

    if (high_bit_pos(prev_root_pos) + high_bit_pos(table.root_position) >= sanity_check_num + 1)
    {
        fprintf(stderr, "Numbers out of range. Need more bits on the machine.");
        exit(0);
    }

    curr_root_pos = (prev_root_pos * table.root_position) % (top_field_size - 1);
    // printf("prev_root_pos is: %u table.root_position is: %u top_field_size is: %u "
    //        "curr_root_pos is: %u\n", prev_root_pos, table.root_position, top_field_size,
    //        curr_root_pos);

    if (times == 4) //last time
    {
        printf("position of root from degree %u extension is: %u\n", times, curr_root_pos);
    }
    else if (times > 4) //not last time, so want to print stuff and call function again
    {
        printf("position of root from degree %u extension is: %u\n", times, curr_root_pos);
        calc_roots(*(table.prev), top_field_size, curr_root_pos, (times/2));
    }
}//end calc_roots

//high_bit_pos takes a number and returns the highest bit position needed to represent the
//number in binary
int_type high_bit_pos(int_type number)
{
    int_type count = 0;

    for (int_type temp = number; temp > 1; temp = temp >> 1)
    {
        count++;
    }

    return count;
}//end high_bit_pos
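The program above keeps each field as a table of (left, right) register contents and recurses through the tables for addition. As an added example written for this page (not part of the thesis program), the same tower can be built without tables by packing an element's two coefficients into the halves of an integer; its functions (mul, root_position, trace, order, and the rest) are its own names, and it assumes the straight run's tower: GF(16) via x^2+x+a and GF(256) via x^2+x+b^7. It reproduces the three checks the program makes: the root position found by the Galois shift register, the trace test for irreducibility in coset_trace, and the full-order test for primitivity.

```cpp
#include <cstdint>
#include <cstdio>

// A level-n element is 2^n bits: high half = coefficient of the root, low half = constant
// term, each a level-(n-1) element. Level 0 is GF(2), level 4 is GF(2^16).
typedef uint32_t elem;
// C[n] is the constant of x^2 + x + C[n] (a level-(n-1) element) used to build level n.
elem C[5] = {0, 1, 0, 0, 0}; // C[1] = 1: x^2 + x + 1 is the only primitive quadratic over GF(2)
unsigned half_bits(unsigned n) { return 1u << (n - 1); }
uint32_t field_size(unsigned n) { return 1u << (1u << n); } // 2^(2^n)
elem root(unsigned n) { return 1u << half_bits(n); }        // the root b = 1*b + 0

// Addition is coefficient-wise GF(2) addition (XOR). Multiplication expands
// (l1*b + r1)(l2*b + r2) = (l1*l2 + l1*r2 + l2*r1)*b + (l1*l2*C[n] + r1*r2), b^2 = b + C[n].
elem mul(unsigned n, elem x, elem y) {
    if (n == 0) return x & y; // GF(2)
    unsigned h = half_bits(n);
    elem mask = (1u << h) - 1;
    elem l1 = x >> h, r1 = x & mask, l2 = y >> h, r2 = y & mask;
    elem t = mul(n - 1, l1, l2);
    elem left = t ^ mul(n - 1, l1, r2) ^ mul(n - 1, l2, r1);
    elem right = mul(n - 1, t, C[n]) ^ mul(n - 1, r1, r2);
    return (left << h) | right;
}
// Galois shift register: k multiplications by the root give b^k.
elem root_power(unsigned n, uint32_t k) {
    elem p = 1;
    while (k--) p = mul(n, p, root(n));
    return p;
}
// The thesis's "root position": smallest k > 0 with b^k == target (0 if never reached).
uint32_t root_position(unsigned n, elem target) {
    elem p = 1;
    for (uint32_t k = 1; k < field_size(n); k++)
        if ((p = mul(n, p, root(n))) == target) return k;
    return 0;
}
// Absolute trace Tr(c) = c + c^2 + c^4 + ... (2^n terms); the result is 0 or 1.
elem trace(unsigned n, elem c) {
    elem sum = 0;
    for (unsigned i = 0; i < (1u << n); i++, c = mul(n, c, c)) sum ^= c;
    return sum;
}
// Multiplicative order of a nonzero level-n element.
uint32_t order(unsigned n, elem c) {
    uint32_t k = 1;
    for (elem p = c; p != 1; p = mul(n, p, c)) k++;
    return k;
}
// x^2 + x + c is irreducible over level n iff Tr(c) = 1. For q = 4, 16, 256 and 65536,
// q + 1 is prime, so an irreducible quadratic is primitive exactly when c has full
// order q - 1 in the field it lives in (the order check the program's coset_trace makes).
bool irreducible_quadratic(unsigned n, elem c) { return trace(n, c) == 1; }
bool primitive_quadratic(unsigned n, elem c) {
    return irreducible_quadratic(n, c) && order(n, c) == field_size(n) - 1;
}

// The tower of the program's straight run: GF(16) via x^2+x+a, GF(256) via x^2+x+b^7.
// Returns the encoding of b^7 so callers can check the construction.
elem build_thesis_tower() {
    C[2] = root_power(1, 1); // a
    C[3] = root_power(2, 7); // b^7
    return C[3];
}

int main() {
    build_thesis_tower();
    printf("a = b^%u in GF(16); b = c^%u and a = c^%u in GF(256)\n",
           root_position(2, 2), root_position(3, root(2)), root_position(3, 2));
    for (uint32_t j = 1; j < 15; j++) // classify every x^2 + x + b^j over GF(16)
        printf("b^%u: %s\n", j, primitive_quadratic(2, root_power(2, j)) ? "primitive"
               : irreducible_quadratic(2, root_power(2, j)) ? "irreducible" : "reducible");
    return 0;
}
```

The run reports a = b^5 in GF(16) and marks x^2 + x + b^7 primitive, which is the constant the straight run uses to build GF(256).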





APPENDIX E. CHARTS 


Appendix E contains the charts that are a visual representation of the fields
generated by polynomials of the form x^2 + x + a^i for a primitive element a. These charts
also show which powers of the current primitive root are equal to previous primitive
roots.
[Chart residue: rows listing, for each polynomial x^2+x+c^i, which powers of the GF(2^16) root d equal the earlier roots a, b and c; the values are not legible in the scan.]